Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.19.0-rc6, < 6.19.0-rc6-00015-gc03e9c42ae8f
A use-after-free vulnerability has been identified in the Linux kernel's binder component, specifically within the binder_netlink_report function. This issue arises when one-way transactions are sent to targets that are frozen. Although these transactions return a 'BR_TRANSACTION_PENDING_FROZEN' error, they are incorrectly considered successful, as the target is expected to thaw eventually. The vulnerability occurs because the binder_netlink_report function dereferences a transaction pointer after receiving a pending frozen error, leading to the use of freed memory. This flaw was highlighted by a Kernel Address Sanitizer (KASAN) report, which documented a slab-use-after-free error. The vulnerability affects the Linux kernel stable tree, particularly in version 6.19.0-rc6.
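The lifetime rule behind this bug, shown as an added user-space model in C; it is not kernel code and not the upstream patch. All names are hypothetical, and the model assumes that a queued one-way transaction belongs to the target from the moment it is queued, including when the status is "pending frozen". Copying the report fields before the hand-off is one lifetime-safe ordering, shown for contrast.

```c
#include <stdio.h>

/* Constructed user-space model; every name is hypothetical, not kernel code. */
enum status { TXN_OK, TXN_PENDING_FROZEN, TXN_DEAD_TARGET };
struct txn { int live, debug_id, to_pid; };
struct report { enum status err; int debug_id, to_pid, stale; };

/* Checked copy standing in for KASAN: flags a read of a released object. */
static void fill(struct report *r, const struct txn *t) {
    if (!t->live) { r->stale = 1; return; }
    r->debug_id = t->debug_id;
    r->to_pid = t->to_pid;
}

/* Queueing hands ownership to the target unless it fails outright. A frozen
 * target still takes the one-way transaction and may release it at any time
 * after thawing; the model releases it at once. */
static enum status queue_txn(struct txn *t, int frozen, int dead) {
    if (dead) return TXN_DEAD_TARGET;   /* sender still owns t */
    t->live = 0;                        /* target consumed t */
    return frozen ? TXN_PENDING_FROZEN : TXN_OK;
}

/* Ordering described above: the error path reads t after the hand-off. */
struct report report_after(struct txn *t, int frozen, int dead) {
    struct report r = { queue_txn(t, frozen, dead), 0, 0, 0 };
    if (r.err != TXN_OK) fill(&r, t);
    return r;
}

/* Lifetime-safe ordering: copy the report fields while t is still owned. */
struct report report_snapshot(struct txn *t, int frozen, int dead) {
    struct report r = { TXN_OK, 0, 0, 0 };
    fill(&r, t);
    r.err = queue_txn(t, frozen, dead);
    return r;
}

/* Run one sender on a fresh transaction with constructed sample values. */
struct report demo(struct report (*send)(struct txn *, int, int), int frozen, int dead) {
    struct txn t = { 1, 42, 1000 };
    return send(&t, frozen, dead);
}

int main(void) {
    printf("after: stale=%d  snapshot: stale=%d\n",
           demo(report_after, 1, 0).stale, demo(report_snapshot, 1, 0).stale);
    return 0;
}
```

Only the pending-frozen status is both an error code and a successful hand-off, which is why the dead-target error path in the model reads the transaction safely while the frozen path does not.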
Exploiting this vulnerability triggers a use-after-free condition. As with other flaws of this class, the resulting memory corruption could potentially lead to arbitrary code execution or other memory-related attacks.
Users can upgrade to the latest version of the Linux kernel stable tree to address this vulnerability. The patched version is included in the official Linux kernel releases.